Articles Tagged ‘Catalyst Switches’

The 'Cisco KnowledgeBase' section is one of the newest and most popular sections on Firewall.cx. Dedicated to Cisco's leading technological innovations, this section offers articles covering multiple categories such as Cisco Routers, Switches, Voice over IP and much more.

All articles are written by qualified engineers with years of experience and are complemented by our unique diagrams.

The quality of the information provided is high enough that readers can use it as a guide for learning Cisco technologies as well as for exam self-study.

Our previous article shows how to perform a password recovery on the Cisco Catalyst switches. This article will now explain how to disable or enable the Cisco password recovery service allowing network engineers and administrators to further secure their Cisco equipment.

The password recovery mechanism is enabled by default which means anyone with physical access to the switch is able to initiate the process and gain access to the switch or stack’s configuration. In some environments this might be a major security concern which is why Cisco provides the option to disable the password recovery mechanism.

In cases where the mechanism is disabled the only option available to gain access to the switch is to delete its startup configuration.

How to Disable or Enable the Password Recovery Service on Cisco Catalyst Switches

Disabling the password recovery mechanism is achieved by using the no service password-recovery command in global configuration mode as shown below:

This article shows how to reset a password on a Cisco Catalyst 3750-X (stacked or single unit) and Cisco Catalyst 3560-X switch without losing its startup configuration. The Cisco password recovery procedure involves interrupting the switch's normal boot procedure and renaming flash:config.text (the startup-config file on these switches) to something else, e.g. flash:config.text.old, so that the configuration file is skipped during bootup.

Once the switch has loaded its operating system we can enter privileged-exec mode, rename flash:config.text.old back to flash:config.text (the startup-config), copy the startup-config file into memory (DRAM), make the necessary password changes and save the configuration.

Password Recovery – Reset Procedure

The procedure described below assumes the password recovery mechanism is enabled (by default, it is) and there is physical access to the switch or stack (3750-X only).

Note: If this procedure is being performed on a 3750-X stack, it is important to understand that all switches participating in the stack should be powered off and only the Master switch is powered on when initiating the password recovery procedure. The Master switch can be easily identified by searching for the switch with the green “Master” LED on.

Step 1

On a 3750-X, power off the entire stack or the standalone switch. On a Catalyst 3560-X, power off the switch. Connect your console cable to the switch: the 3750-X Master or the standalone switch.

Step 2

Reconnect the power to the switch (standalone 3750-X or 3560-X) or to the stack master (3750-X stack only). Within 10 seconds, press and hold the Mode button while the System LED is flashing green. After the System LED turns amber and then solid green, release the Mode button.

If the process has been followed correctly, the following message should be displayed:

The system has been interrupted prior to initializing the flash file system. The following commands will initialize the flash file system and finish loading the operating system software:

flash_init

load_helper

boot

Step 3

Now initialize the flash file system, rename the startup configuration file (config.text) and boot the IOS:

Running Spanning Tree Protocol (STP) in a large network environment can be a challenging task, especially when features and enhancements such as BPDU Filter and BPDU Guard need to be configured to adapt STP to the requirements of the network infrastructure.

The key to a successful STP deployment is understanding how each STP feature should be used and implemented.

Understanding and Configuring BPDU Guard

BPDU Guard is an STP enhancement which, when enabled, places a port in the errdisable state when any BPDU packet is received on that port.

BPDU Guard is usually configured on access layer ports, where we do not expect BPDU packets to arrive from the devices connected to these ports, e.g. computers, printers, IP phones or other end-user devices.

Ports used as uplinks or downlinks to other switches should not have BPDU Guard enabled, as BPDU packets are transmitted and received on these links while the switches actively monitor for network loops.

BPDU Guard can be configured either in Global mode or Interface mode.

When configured in Global mode the feature is enabled globally for all switch ports configured with PortFast. PortFast is an STP feature configured on each individual port that forces the port to go directly into the forwarding state rather than through the normal STP states (Listening, Learning, Forwarding).

While PortFast is a very handy feature that forces a port to transition immediately to the forwarding state (much like a port on an unmanaged switch), it must be used with caution, as STP won't be able to immediately detect a network loop through a PortFast-enabled port.

To configure BPDU Guard in Interface mode use the spanning-tree bpduguard enable command under the interface:

SW2(config-if)# spanning-tree bpduguard enable

Note: It is important to keep in mind that if the interface is configured as an access port with PortFast enabled and it receives a BPDU packet, it will automatically be disabled and placed in the errdisabled state.

To help illustrate how BPDU Guard works, we've configured port G1/0/1 on our 3750-X as an access link with PortFast and BPDU Guard enabled:

Figure 1. Spanning Tree BPDU Guard configuration and example

interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 2
 spanning-tree portfast
 spanning-tree bpduguard enable

Next, we connect another switch (a rogue switch) running Spanning Tree Protocol to port G1/0/1 on SW2. As soon as a BPDU packet was received on G1/0/1, here's how SW2 reacted:

NIC Teaming, also known as Load Balancing and Failover (LBFO), is an extremely useful feature of Windows Server 2012 that allows multiple network interface cards to be aggregated into one or more virtual network adapters. This lets us combine the bandwidth of every physical network card into the virtual network adapter, creating a single large network connection from the server to the network. Apart from the increased bandwidth, NIC Teaming offers additional advantages such as load balancing, redundant links to our network and failover capabilities.

There are two basic NIC Teaming configurations: switch-independent teaming & switch-dependent teaming. Let’s take a look at each configuration and its advantages.

Switch-Independent Teaming

Switch-independent teaming offers the advantage of not requiring the switch to participate in the NIC Teaming process. Network cards from the server can connect to different switches within our network.

Switch-independent teaming is preferred when bandwidth isn’t an issue and we are mostly interested in creating a fault tolerant connection by placing a team member into standby mode so that when one network adapter or link fails, the standby network adapter automatically takes over. When a failed network adapter returns to its normal operating mode, the standby member will return to its standby status.

Switch-Dependent Teaming

Switch-dependent teaming requires the switch to participate in the teaming process, during which Windows Server 2012 negotiates with the switch to create one virtual link that aggregates the bandwidth of all physical network adapters. For example, a server with four 1Gbps network cards can be configured to create a single 4Gbps connection to the network.

Load Balancing Mode - Load Distribution Algorithms

Load distribution algorithms distribute outbound traffic across all available physical links, avoiding bottlenecks while making use of every link. When configuring NIC Teaming in Windows Server 2012 we must select a Load Balancing Mode, which uses one of the following load distribution algorithms:

Hyper-V Switch Port: Used primarily when configuring NIC Teaming within a Hyper-V virtualized environment. When Virtual Machine Queues (VMQs) are used, a queue can be placed on the specific network adapter where the traffic is expected to arrive, providing greater flexibility in virtual environments.

Address Hashing: This algorithm creates a hash based on one of the characteristics listed below and then assigns it to the available network adapters to load balance traffic efficiently:

Dynamic: The Dynamic algorithm combines the best aspects of the two previous algorithms to create an effective load balancing mechanism. Here's what it does:

Distributes outgoing traffic based on a hash of the TCP ports and IP addresses, with real-time rebalancing allowing flows to move back and forth between network adapters that are part of the same team.

Inbound traffic is distributed similarly to the Hyper-V Port algorithm.

The Dynamic algorithm is the preferred Load Balancing Mode for Windows Server 2012 and the one we are covering in this article.
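As an added example (not part of the Firewall.cx article), the PowerShell commands below build the two team types described above on Windows Server 2012: a switch-independent team using the Dynamic algorithm with one member held in standby, and the switch-dependent (LACP) alternative. The adapter names NIC1 and NIC2 and the team names are placeholders.

```powershell
# Added example, not from the article. Adapter names NIC1/NIC2 and the
# team names are placeholders; take the real names from Get-NetAdapter.

# 1. Switch-independent team: the switch needs no configuration and the
#    members may be cabled to different switches. Dynamic is the
#    load-balancing algorithm the article recommends.
New-NetLbfoTeam -Name "SrvTeam" -TeamMembers "NIC1","NIC2" `
    -TeamingMode SwitchIndependent -LoadBalancingAlgorithm Dynamic -Confirm:$false

# Fault-tolerant variant: keep NIC2 idle until NIC1 or its link fails.
# A standby member is only possible in switch-independent mode.
Set-NetLbfoTeamMember -Name "NIC2" -AdministrativeMode Standby -Confirm:$false

# Verify that the team is Up and which member is active or standby.
Get-NetLbfoTeam -Name "SrvTeam" |
    Format-List Name, TeamingMode, LoadBalancingAlgorithm, Status
Get-NetLbfoTeamMember -Team "SrvTeam" |
    Format-Table Name, AdministrativeMode, OperationalStatus

# 2. Switch-dependent (LACP) team instead of the above: both switch ports
#    must already be members of an LACP port-channel, otherwise the team
#    stays down. Run this in place of step 1, not in addition to it.
# New-NetLbfoTeam -Name "SrvTeamLacp" -TeamMembers "NIC1","NIC2" `
#     -TeamingMode Lacp -LoadBalancingAlgorithm Dynamic -LacpTimer Fast -Confirm:$false
```

The Get-NetLbfoTeamMember output is the check to run after cabling changes: a member showing OperationalStatus "Failed" rather than "Active" or "Standby" means the link is down and the team is running without its redundancy.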